Skip to content

T1625 Hijack Execution Flow

Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time.

There are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.

Item Value
ID T1625
Sub-techniques T1625.001
Tactics TA0028
Platforms Android
Version 1.1
Created 30 March 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0311 YiSpecter YiSpecter has hijacked normal application’s launch routines to display ads.2

Mitigations

ID Mitigation Description
M1002 Attestation Device attestation could detect unauthorized operating system modifications.
M1004 System Partition Integrity Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.1

Detection

ID Data Source Data Component
DS0013 Sensor Health Host Status

References

  1. Android. (n.d.). Verified Boot. Retrieved December 21, 2016. 

  2. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.